This SecureWorks Security Advisory is an update to a previous advisory. It corrects a domain name, adds an associated IP address, and includes additional information and clarifications regarding the worm's capabilities and impact.

SecureWorks is aware of an outbreak of an email worm that uses Windows Management Instrumentation (WMI) scripting and other techniques to aggressively spread on Windows networks.

On September 9, 2010, outbreaks on multiple corporate networks were confirmed by the SecureWorks Counter Threat Unit(SM) (CTU) and corroborated by other researchers.

Although the emails sent by the worm include links to PDF filenames in some instances, this threat is not associated with any of the recent Adobe 0-day vulnerabilities.

Description:

The worm spreads by sending email with a link to what appears to be either a PDF or WMV file. Victims clicking the links are redirected to an executable file with an .SCR (screen saver format) extension. Following the initial infection, the .SCR file downloads and installs several pieces of malware, including password stealers for Internet Explorer, Firefox, Opera, and Chrome web browsers, and a backdoor program identified as Bifrost. These secondary payloads may change, but the worm itself is identified as Visal.A by Microsoft and VBMania by McAfee and is rated as a 'Severe' risk. Previous variants dating back to August 5, 2010, are known by the name Imsolk.A.

After the worm is active inside a network, it attempts to spread using several methods. In addition to sending more email, the worm uses WMI scripting to spread to shared drives and certain folders. It also downloads and attempts to use a legitimate remote program execution tool (psexec.exe) and the privileges of the currently logged-in user to spread to other systems on the network. Psexec combined with domain administrator credentials could allow the worm to easily spread to virtually every system on the domain.
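The following is an added example and is not part of the SecureWorks advisory: detection logic for the spread methods described above (PsExec remote execution and WMI remote process creation), plus the initial .SCR launch from a browser, run over a set of constructed Windows event records. Two facts it relies on are well known: PsExec installs a service named PSEXESVC on the target host, and a process created through WMI's Win32_Process.Create runs under the WMI provider host, WmiPrvSE.exe. The hostnames, user names, paths and the availability of a parent-process-name field are assumptions for illustration.

```python
"""Added example (not from the SecureWorks advisory): flag the worm's lateral-movement
techniques, PsExec remote execution and WMI remote process creation, plus the
initial .SCR launch, in a set of constructed Windows event records."""
import re
from dataclasses import dataclass

# Constructed sample events in key=value form. Field names follow the Windows
# Security log (4688, process creation) and System log (7045, service installed).
# Assumption: the event source reports the parent process name; modern 4688
# records and Sysmon Event 1 do, the 2010-era 4688 carried only the creator PID.
SAMPLE_LOG = r'''
host=WS01 log=Security EventId=4688 SubjectUserName=alice NewProcessName="C:\Users\alice\AppData\Local\Temp\document_pdf.scr" ParentProcessName="C:\Program Files\Internet Explorer\iexplore.exe"
host=WS01 log=Security EventId=4688 SubjectUserName=alice NewProcessName="C:\Users\alice\AppData\Local\Temp\psexec.exe" ParentProcessName="C:\Windows\System32\wscript.exe"
host=FS02 log=System EventId=7045 ServiceName=PSEXESVC ImagePath="%SystemRoot%\PSEXESVC.exe" AccountName=LocalSystem
host=FS02 log=Security EventId=4688 SubjectUserName=SYSTEM NewProcessName="C:\Windows\PSEXESVC.exe" ParentProcessName="C:\Windows\System32\services.exe"
host=WS07 log=Security EventId=4688 SubjectUserName=alice NewProcessName="C:\Windows\System32\cmd.exe" ParentProcessName="C:\Windows\System32\wbem\WmiPrvSE.exe"
host=WS08 log=Security EventId=4688 SubjectUserName=bob NewProcessName="C:\Windows\System32\notepad.exe" ParentProcessName="C:\Windows\explorer.exe"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value with spaces"
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe", "chrome.exe"}
WMI_CHILDREN = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "rundll32.exe"}

@dataclass
class Alert:
    host: str
    rule: str
    detail: str

def parse_line(line):
    return {k: (q or u) for k, q, u in KV.findall(line)}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return one Alert per matching event; order follows the input."""
    alerts = []
    for ev in events:
        host, eid, user = ev.get("host", "?"), ev.get("EventId"), ev.get("SubjectUserName", "?")
        if eid == "7045":
            # PsExec installs its service on the *target* host under this name.
            if ev.get("ServiceName", "").upper() == "PSEXESVC" or basename(ev.get("ImagePath", "")) == "psexesvc.exe":
                alerts.append(Alert(host, "psexec_service_installed", "PSEXESVC installed: this host was a PsExec target"))
        elif eid == "4688":
            new, parent = basename(ev.get("NewProcessName", "")), basename(ev.get("ParentProcessName", ""))
            if new in ("psexec.exe", "psexec64.exe"):
                # The worm runs PsExec with the logged-in user's credentials; record who.
                alerts.append(Alert(host, "psexec_launched", f"{user} ran {new} from {parent}"))
            elif parent == "wmiprvse.exe" and (new in WMI_CHILDREN or new.endswith(".scr")):
                # Win32_Process.Create over WMI spawns the child under the WMI provider host.
                alerts.append(Alert(host, "wmi_remote_process", f"{new} created via WMI as {user}"))
            elif new.endswith(".scr") and parent in BROWSERS:
                alerts.append(Alert(host, "scr_launched_by_browser", f"{parent} launched {new} as {user}"))
    return alerts

def run(log=SAMPLE_LOG):
    return detect(parse_line(l) for l in log.strip().splitlines())

if __name__ == "__main__":
    for a in run():
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The psexec_launched alert carries the account that was logged in when PsExec ran; since the worm borrows that user's privileges, it is the first account whose credentials should be treated as exposed. PSEXESVC.exe itself starting under services.exe on the target is not alerted separately because the 7045 service installation already covers it.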

Although the worm downloads password recovery tools or 'revealers', there is no evidence that the worm exfiltrates those passwords. One theory is that the attacker would access the infected computer via the Bifrost backdoor to collect recovered password information. The backdoor itself also has the capability to steal passwords and log keystrokes.

The name members[dot]multimania[dot]co[dot]uk and its IP address, 213.131.252.251, point to a legitimate website. Blocking it may result in false positive alerts. Other user accounts with that service have been identified that also host similar payload files.

SecureWorks Actions:

The SecureWorks CTU has confirmed that existing iSensor IPS and Managed Snort IDS countermeasures successfully detect the heartbeat traffic of the backdoor that is installed in this campaign.

The SecureWorks CTU is in the process of testing and deploying countermeasures to detect associated malicious activity for the iSensor IPS, Managed Snort IDS and TeraGuard SDA IDS services. In addition, the CTU is evaluating the feasibility of countermeasures specific to this threat and will deploy them where feasible.

SecureWorks will work diligently to deploy updates to third-party managed devices as soon as the respective vendors make them available.

Recommended Actions:

1. Block the email messages generated by the worm.

Work with your secure mail gateway provider to develop and deploy filters that block the email messages associated with this threat.

The message's subject line may contain "Here You Have" or "Just For You". There appears to be no significant pattern to the sender's address. Other variants may exist as well.

2. Avoid clicking links in email messages.

Advise users not to click links in email messages, especially in messages from unknown or untrusted sources. Note that users cannot determine whether an email link is safe simply by examining it: a web server can redirect the request, or deliver content other than what the filename extension in the link suggests. Verify links and attachments before opening them, even when they come from trusted sources.
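As an added example that is not part of the advisory, the script below applies the two checks above at a mail gateway: it blocks on the subject lines listed under step 1, and it follows each link in the message body to its final target before trusting the extension shown to the user, which is the redirect trick described in step 2. The messages, domains and redirect table are constructed; a live resolver that follows HTTP redirects with a HEAD request is included, but the sample run uses the offline mock.

```python
"""Added example (not from the SecureWorks advisory): gateway-style triage that blocks
on the campaign subject lines and on links whose final target, after redirects, is an
executable such as .SCR. Messages, hosts and the redirect table are constructed."""
import posixpath
import re
from email import message_from_string
from urllib.parse import urlparse
from urllib.request import Request, urlopen

CAMPAIGN_SUBJECTS = ("here you have", "just for you")
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def path_ext(url):
    """Extension of the URL path as a user would read it (lower-cased, may be empty)."""
    return posixpath.splitext(urlparse(url).path)[1].lower()

def http_resolve(url, timeout=10):
    """Live resolver (not used by the offline sample): follow redirects with a HEAD
    request and return (final_url, filename from Content-Disposition or None)."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        match = re.search(r'filename="?([^";]+)"?', resp.headers.get("Content-Disposition", ""))
        return resp.geturl(), (match.group(1) if match else None)

# Constructed redirect table standing in for the web: the first lure looks like a PDF
# but redirects to a .scr; the second serves a .scr through Content-Disposition.
REDIRECTS = {
    "http://members.example.invalid/~bob/document.pdf":
        ("http://members.example.invalid/~bob/document_pdf.scr", None),
    "http://cdn.example.invalid/dl?id=7": ("http://cdn.example.invalid/dl?id=7", "clip.wmv.scr"),
}

def mock_resolve(url):
    return REDIRECTS.get(url, (url, None))

def classify_link(url, resolve):
    final_url, served_name = resolve(url)
    final_ext = posixpath.splitext(served_name)[1].lower() if served_name else path_ext(final_url)
    return {"url": url, "shown_ext": path_ext(url), "final_url": final_url,
            "final_ext": final_ext, "executable": final_ext in EXECUTABLE_EXTS}

def body_text(msg):
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def triage(raw_message, resolve=mock_resolve):
    """Return {'verdict': 'block'|'allow', 'reasons': [...], 'links': [...]}."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").lower()
    reasons = [f"subject matches campaign: {subject!r}"] if any(s in subject for s in CAMPAIGN_SUBJECTS) else []
    links = [classify_link(u, resolve) for u in URL_RE.findall(body_text(msg))]
    reasons += [f"link shown as {l['shown_ext'] or '(none)'} resolves to {l['final_ext']} at {l['final_url']}"
                for l in links if l["executable"]]
    return {"verdict": "block" if reasons else "allow", "reasons": reasons, "links": links}

# Constructed messages: a campaign-style lure, a benign message, and a lure with a
# neutral subject whose link only reveals its payload after the redirect.
SAMPLE_MESSAGES = [
    "From: someone@example.invalid\nSubject: Here you have\n\nSee the document at\nhttp://members.example.invalid/~bob/document.pdf\n",
    "From: sales@example.invalid\nSubject: Q3 brochure\n\nNew brochure:\nhttp://www.example.invalid/brochure.pdf\n",
    "From: friend@example.invalid\nSubject: Funny clip\n\nWatch this\nhttp://cdn.example.invalid/dl?id=7\n",
]

def run_samples(resolve=mock_resolve):
    return [triage(m, resolve) for m in SAMPLE_MESSAGES]

if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, run_samples()):
        print(result["verdict"], "-", msg.splitlines()[1], "-", "; ".join(result["reasons"]))
```

The third sample shows why a subject-only filter is not enough: its subject matches nothing and its link has no extension at all, and only the resolved target reveals the .scr. In production the resolver should run from an isolated egress path, since resolving a link fetches from attacker-controlled servers, and the Content-Disposition filename should be treated as untrusted input, exactly as it is here.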

3. Disable AutoRun.

If feasible, disable AutoRun functionality according to the instructions in Microsoft Knowledge Base article KB967715, available here:

http://support.microsoft.com/kb/967715

4. Limit user privileges.

Do not log in as a privileged or administrative user to perform routine computer tasks. The WMI and psexec vectors used by this worm generally require administrator rights on the target systems to work as the attacker intended.

5. Secure WMI.

A technical article describing how to secure WMI can be found on the Microsoft Developer Network, available at:

http://msdn.microsoft.com/en-us/library/aa392291%28VS.85%29.aspx

6. Update host and gateway antivirus product signatures.

Several corporate antivirus engines detect some of the payloads associated with this threat. SecureWorks has provided samples of all related malware files to all major antivirus vendors. If antivirus signatures are not yet available, monitor or contact your antivirus vendor(s) for signature update availability.

7. Protect credentials stored in web browsers.

This worm uses legitimate password recovery and 'revealer' applications as well as a backdoor capable of stealing passwords and digital certificates from web browsers. Malware of this kind has shown that the default password-storage settings of modern web browsers are ineffective protection. Additional settings, such as setting a master password, are needed to help mitigate this risk. Optionally, users may want to consider a dedicated password management program instead of the browser's built-in functionality.

8. Reinstall from known-good backups or images.

The worm disables most popular host-based security software and turns off security controls built into Windows 7 and Vista systems, making the system vulnerable to additional threats. The worm has the capability to download and execute arbitrary remote code of the attacker's choosing. Compromised hosts must be reimaged or formatted and reinstalled from known-good media in order to restore confidence in the integrity of the systems.

Impact and Severity:

The SecureWorks CTU has given this issue a rating of "High" based on the following factors:

1. An active attack is underway in the wild.
2. A large number of hosts and several large networks are impacted.
3. Successful attacks will result in remote code execution.
4. Regaining confidence in the integrity of infected hosts requires a complete reinstall.
5. Any infected host on the network can potentially reinfect the network. This capability can complicate remediation.